(54) Open metering system with super password vault access

(57) A super password is a one time use password that is issued to a user for the singular purpose of reinitializing the user password system for a meter. When the meter is manufactured, the meter and the Data Center share secret data such that they can execute a predefined and identical algorithm for secure communication. Through such secure communications, the Data Center can authenticate a metering system, and the metering system can accept a predefined command from the Data Center securely. Counters are used as data to encrypt. One counter is used for the one way communication from the meter to the data center and counts the number of times that the meter issues a one time authentication code. Another counter is used for the one way communication from the Data Center to the meter and counts the number of times that the Data Center issues a one time super password. The counters are used for two purposes: as data to be encrypted and to confirm the delivery of secure codes between the Data Center and the meter. The use of counters in the process eliminates problems that undelivered messages would create.

Description

The present invention relates generally to value printing systems and, more particularly, to value printing systems wherein a printer is not dedicated to a metering module.

The present application is related to the following U.S. Patent Applications Serial Nos. [Attorney Dockets E-415, E-416, E-417, E-418, E-419, E-420, E-421, E-444, E-452 and E-466], each filed concurrently herewith, and assigned to the assignee of the present invention.

Postage metering systems are being developed which employ digital printers to print encrypted information on a mailpiece. Such metering systems are presently categorized by the United States Postal Service as either closed systems or open systems. In a closed system, the system functionality is solely dedicated to metering activity. A closed system metering device includes a dedicated printer securely coupled to a metering or accounting function. In a closed system, since the printer is securely coupled and dedicated to the meter, printing cannot take place without accounting. In an open metering system, the system functionality is not dedicated solely to metering activity. An open system metering device includes a printer that is not dedicated to the metering activity, thus freeing system functionality for multiple and diverse uses in addition to the metering activity. An open system metering device is a postage evidencing device (PED) with a non-dedicated printer that is not securely coupled to a secure accounting module.

Typically, the postage value for a mailpiece is encrypted together with other data to generate a digital token which is then used to generate a postage indicia that is printed on the mailpiece. A digital token is encrypted information that authenticates the information imprinted on a mailpiece including postal value. Examples of systems for generating and using digital tokens are described in U.S. Patent Nos. 4,757,537, 4,631,555, 4,775,246, 4,873,645 and 4,725,718, the entire disclosures of which are hereby incorporated by reference. These systems employ an encryption algorithm to encrypt selected information to generate at least one digital token for each mailpiece. The encryption of the information provides security to prevent altering of the printed information in a manner such that any misuse of the tokens is detectable by appropriate verification procedures.

Typical information which may be encrypted as part of a digital token includes origination postal code, vendor identification, data identifying the PED, piece count, postage amount, date, and, for an open system, destination postal code. These items of information, collectively referred to as Postal Data, when encrypted with a secret key and printed on a mail piece provide a very high level of security which enables the detection of any attempted modification of a postal revenue block or a destination postal code. A postal revenue block is an image printed on a mail piece that includes the digital token used to provide evidence of postage payment. The Postal Data may be printed both in encrypted and unencrypted form in the postal revenue block. Postal Data serves as an input to a Digital Token Transformation which is a cryptographic transformation computation that utilizes a secret to produce digital tokens. Results of the Digital Token Transformation, i.e., digital tokens, are available only after completion of the Accounting Process.

Digital tokens are utilized in both open and closed metering systems. However, for open metering systems, the non-dedicated printer may be used to print other information in addition to the postal revenue block and may be used in activity other than postage evidencing. In an open system PED, addressee information is included in the Postal Data which is used in the generation of the digital tokens. Such use of the addressee information creates a secure link between the mailpiece and the postal revenue block and allows unambiguous authentication of the mail piece.

Since open and closed metering systems function as encryption devices, the metering portion of the system must be secure logically as well as physically. Typically, user access of an encryption device is controlled by a lock, such as a lock to the room housing the device, a lock on the device itself, or a logical lock such as the password that limits access to the device. If a password that controls access to an open or closed metering system is forgotten, the device becomes useless until the password can be replaced. Generally, the higher the level of security, the more difficult the procedure to replace an existing password. For example, metering systems require such a high level of security that a user may be required to send at least the metering device, i.e., the vault, to the manufacturing vendor to reinitialize the password protection system of the metering device. When the metering device is returned to the user, the user creates a new password which activates the password protection system for further use of the metering system.

Users have been known to provide their own 'safety net' to prevent forgotten security passwords. Generally, a user may hide the security password with the hope that it can be retrieved if ever the password is forgotten. Knowing that this practice compromises the security of the password protection system, users resort to such practice because the alternative, i.e., having to return the metering portion to the manufacturer, is a burden that prevents use of the metering system for a period of time.

The present invention provides an alternate process for reinitializing a user password system so that the metering unit does not have to be returned to the manufacturer when a user password is forgotten. In accordance with the present invention a super password, defined herein as a one time use password, is issued to a user for the singular purpose of reinitializing the user password system for the user's metering system. When the metering system is manufactured, the metering unit, i.e. the vault, and the Data Center share secret data. The vault and the Data Center both execute a predefined and identical algorithm for secure communication. Through such secure communications, the Data Center can authenticate a metering system, and the metering system can accept a predefined command from the Data Center securely.

When a user forgets the user password, the vault issues an encrypted code that includes the information of how many times the super password has been used. The user reports the code and serial number to the data center. Using the code, the data center generates the super password. When this is entered to the vault, it confirms the validity by performing its own encryption process. Since the date is used as part of encryption, the super password is valid only for the day of the report.

The present invention uses counters as data to encrypt. One pair of counters, one in the meter and the corresponding one in the Data Center, is used for the one way communication from the meter to the data center. This pair counts the number of times that the meter issues a one time authentication code. Similarly another pair is used for the one way communication from the Data Center to the meter. This pair counts the number of times that the Data Center issues a one time super password. The counters are used for two purposes: as data to be encrypted and to confirm the delivery of secure codes between the Data Center and the meter. Such confirmation is necessary because the meter cannot confirm delivery of the authentication code to the Data Center. Likewise, the Data Center cannot confirm the delivery of super password to the meter. An example is that, even though the Data Center issued a super password, the meter might not receive it or a user might not have entered it to the meter. The use of counters in the process eliminates problems that undelivered messages would create.

The above and other objects and advantages of the present invention will be apparent upon consideration of the following detailed description, taken in conjunction with accompanying drawings, in which like reference characters refer to like parts throughout, and in which:

Fig. 1 is a block diagram of a PC-based metering system in which the present invention is used;
Fig. 2 is a schematic block diagram of the PC-based metering system of Fig. 1 including a removable vault card and a DLL in the PC;
Fig. 3 is a block diagram of the DLL sub-modules in the PC-based metering system of Fig. 1;
Fig. 4 is a flow diagram of vault mode transitions in the PC-based metering system of Fig. 1;
Fig. 5 is a flow chart showing the preparation at manufacturing time for a super password system of the present invention;
Fig. 6 is a flow chart showing the procedure to obtain a super password for one time use only when a user forgets the user password;
Fig. 7 is a flow chart of the authentication code generation process from the meter;
Fig. 8 is a flow chart of the procedure for the meter to accept the super password from the Data Center; and
Fig. 9 (9A and 9B) is a flow chart of the Data Center accepting the authentication code and issuing the super password.

In describing the present invention, reference is made to the drawings, wherein there is seen in Figs. 1-4 an open system PC-based postage meter, also referred to herein as a PC meter system, generally referred to as 10, in which the present invention provides super password vault access when a user password is forgotten. PC meter system 10 includes a conventional personal computer configured to operate as a host to a removable metering device or electronic vault, generally referred to as 20, in which postage funds are stored. PC meter system 10 uses the personal computer and its printer to print postage on envelopes at the same time it prints a recipient's address or to print labels for pre-addressed return envelopes or large mailpieces. As used herein, the term personal computer is used generically and refers to present and future microprocessing systems with at least one processor operatively coupled to user interface means, such as a display and keyboard, and storage media. The personal computer may be a workstation that is accessible by more than one user.

It will be understood that although the preferred embodiment of the present invention is described with regard to a postage metering system, the present invention is applicable to any value metering system that includes a transaction evidencing.

The PC-based postage meter 10 includes a personal computer (PC) 12, a display 14, a keyboard 16, and a non-secured digital printer 18, preferably a laser or ink-jet printer. PC 12 includes a conventional processor 22, such as the 80486 and Pentium processors manufactured by Intel, and conventional hard drive 24, floppy drive(s) 26, and memory 28. Electronic vault 20, which is housed in a removable card, such as PCMCIA card 30, is a secure encryption device for postage funds management, digital token generation and traditional accounting functions. PC meter system 10 may also include an optional modem 29 which is located preferably in PC 12. Modem 29 is for communicating with a Data Center for recharging funds (debit or credit) and for requesting a super password in accordance with the present invention. In an alternate embodiment the modem may be located in PCMCIA card 30.

PC meter system 10 further includes a Windows-based PC software module 34 (Figs. 3 and 4) that is accessible from conventional Windows-based word processing, database and spreadsheet application programs 36. PC software module 34 includes a vault dynamic link library (DLL) 40, a user interface module 42, and a plurality of sub-modules that control the metering functions. DLL module 40 securely communicates with vault 20 and provides an open interface to Microsoft Windows-based application programs 36 through user interface module 42. DLL module 40 also securely stores an indicia image and a copy of the usage of postal funds of the vault. User interface module 42 provides application programs 36 access to an electronic indicia image from DLL module 40 for printing the postal revenue block on a document, such as an envelope or label. User interface module 42 also provides application programs the capability to initiate remote refills and to perform administrative functions.

Thus, PC-based meter system 10 operates as a conventional personal computer with attached printer that becomes a postage meter upon user request. Printer 18 prints all documents normally printed by a personal computer, including printing letters and addressing envelopes, and in accordance with the present invention, prints postage indicia.

The vault is housed in a PCMCIA I/O device, or card, 30 which is accessed through a PCMCIA controller 32 in PC 12. A PCMCIA card is a credit card size peripheral or adapter that conforms to the standard specification of the Personal Computer Memory Card International Association. Referring now to Figs. 2 and 3, the PCMCIA card 30 includes a microprocessor 44, redundant non-volatile memory (NVM) 46, clock 48, an encryption module 50 and an accounting module 52. The encryption module 50 may implement the NBS Data Encryption Standard (DES) or another suitable encryption scheme. In the preferred embodiment, encryption module 50 is a software module. It will be understood that encryption module 50 could also be a separate device, such as a separate chip connected to microprocessor 44. Accounting module 52 may be EEPROM that incorporates ascending and descending registers as well as postal data, such as origination ZIP Code, vendor identification, data identifying the PC-based postage meter 10, sequential piece count of the postal revenue block generated by the PC-based postage meter 10, postage amount and the date of submission to the Postal Service. As is known, an ascending register in a metering unit records the amount of postage that has been dispensed, i.e., issued by the vault, in all transactions and the descending register records the value, i.e., amount of postage, remaining in the metering unit, which value decreases as postage is issued.

The hardware design of the vault includes an interface 56 that communicates with the host processor 22 through PCMCIA controller 32. Preferably, for added physical security, the components of vault 20 that perform the encryption and store the encryption keys (microprocessor 44, ROM 47 and NVM 46) are packaged in the same integrated circuit device/chip that is manufactured to be tamper proof. Such packaging ensures that the contents of NVM 46 may be read only by the encryption processor and are not accessible outside of the integrated circuit device. Alternatively, the entire card 30 could be manufactured to be tamper proof.

DLL 40 includes the following software sub-modules. Secure communications sub-module 80 controls communications between PC 12 and vault 20. Transaction captures sub-module 32 stores transaction records in PC 12. Secure indicia image creation and storage sub-module 84 generates an indicia bitmap image and stores the image for subsequent printing. Application interface sub-module 86 interfaces with non-metering application programs and issues requests for digital tokens in response to requests for indicia by the non-metering application programs. A more detailed description of PC meter system 10 is provided in related U.S. Patent Application Serial No. [Attorney Docket E-421] filed concurrently herewith.

Generally, a conventional postage meter is equipped with a physical key to protect it from unauthorized access. However, for vault 20, a physical key is not practical because the vault is a small electronic device void of mechanical parts. Thus, a user password system in the vault protects it from illegal attempts to access the vault. A user can opt to use vault 20 without any protection, or can activate the vault user password system.

The password system of the vault is designed to protect the user postal funds. When vault 20 is manufactured, it may be operated without a user password. A user activates the password system by entering a user password. (Alternately, vault 20 may be manufactured such that the user password must be activated upon initial use.) Once the user password system is activated, the user must log into vault 20 by entering the user password so that PC meter system 10 can issue digital tokens for an indicia. The user can either log out from the vault or rely on a time-out feature that automatically logs out from the vault if vault 20 is idle for a predetermined amount of time. Each subsequent use requires reentry of the user password. The user can also change the user password or deactivate the user password system.

In accordance with the present invention, a super password system provides a process for replacing a forgotten user password. At manufacturing, vault 20 and the Data Center share secret data. Using such secret data, vault 20 and the Data Center can execute a predefined and identical algorithm for secure communication therebetween. In this manner, the Data Center can authenticate vault 20, and also vault 20 can accept a predefined command from the Data Center securely. The following description of the super password system refers to Figs. 5-9 which provide the detailed steps for such a system. In the following description, the encryption key is not updated so that description is straightforward. It will be understood that changing the encryption key makes the system more secure.

The present invention uses counters as data to encrypt. One pair of counters, one in the meter and the corresponding one in the Data Center, is used for the one way communication from the meter to the data center. This pair counts the number of times that the meter issues a one time authentication code. Similarly another pair is used for the one way communication from the Data Center to the meter. This pair counts the number of times that the Data Center issues a one time super password. The counters are used for two purposes: as data to be encrypted and to confirm the delivery of secure codes between the Data Center and the meter. Such confirmation is necessary because the meter cannot confirm delivery of the authentication code to the Data Center. Likewise, the Data Center cannot confirm the delivery of super password to the meter. An example is that, even though the Data Center issued a super password, the meter might not receive it or a user might not have entered it to the meter. The use of counters in the process eliminates problems that undelivered messages would create.

EP0 780 8(»A2

Referring now to Fig. 5, when a new postage meter is manufactured the super password system of the present invention is initialized. At step 100, a new vault 20 is programmed with the following parameters: meter serial number; an encryption key, such as a DES key, for the super password system; an Authentication Code Send Count (ACODE_SCOUNT); and a Super Password Receive Count (SCODE_RCOUNT). The information is sent to the Data Center where, at step 104, the Data Center creates a meter record including the foregoing parameters: meter serial number; the encryption key, such as a DES key, for the super password system; the Authentication Code Receive Count (ACODE_RCOUNT); and the Super Password Send Count (SCODE_SCOUNT). The meter record is stored in a meter database. When the new vault 20 is sent to a user, at step 108, the super password system is initialized in the new vault 20 and at the Data Center. When the user first uses PC-based metering system 10, the user enters a user password which prevents further use of the meter unless the user password is entered.

Referring now to Fig. 6, when a user forgets the user password the user, at step 112, submits the meter serial number and the one time authentication code to the Data Center by phone or electronically. At step 116, the Data Center verifies the authentication code and verifies the user with pre-registered information, such as mother's maiden name. After verification, the Data Center issues to the user, at step 120, a super password that can be used only one time. The super password may be entered into PC-based metering system 10 electronically, or the user may enter the super password manually. At step 124, if the super password entered matches the one internally calculated, then the meter resets the user password system so that the user can enter a new user password. At this point PC-based metering system 10 is operational again with the new user password.

Referring now to Fig. 7, an authentication code generation process which takes place in vault 20 is shown. At step 130, the encryption key and the Authentication Code Send Count (ACODE_SCOUNT), which were programmed into vault 20 during manufacture, are read from NVM 46. At step 134, the encryption key is applied to the Authentication Code Send Count (ACODE_SCOUNT) to obtain encrypted data. For DES, the encrypted data is 64 bits long. A five digit octal number is obtained from the encrypted data, at step 136. The least significant 15 bits of the encrypted data are divided into five digits, each 3 bits long. This five digit number is the authentication code for one time use only.

Referring now to Fig. 8, a procedure is shown for meter acceptance of the super password received from the Data Center. At step 140, vault 20 receives the one time super password through secure communications module 80. At step 144, the encryption key and the Super Password Receive Count (SCODE_RCOUNT), which were programmed into vault 20 during manufacture, are read from NVM 46. At step 148, the encryption key is applied to the Super Password Receive Count (SCODE_RCOUNT) to obtain encrypted data. A five digit octal number is obtained from the encrypted data, at step 152. The least significant 15 bits of the encrypted data are divided into five digits, each 3 bits long. At step 156, the received super password is compared to the calculated one. If not the same, then the password is rejected at step 158. If the same, then, at step 160, vault 20 increments the Authentication Code Send Count (ACODE_SCOUNT) and the Super Password Receive Count (SCODE_RCOUNT) and stores them to the NVM 46. At step 164, vault 20 accepts the received super password and resets the user password.

Referring now to Fig. 9 (9A and 9B), a process is shown through which the Data Center accepts the authentication code and issues the super password. At step 170, the Data Center receives the authentication code. At step 174, the Data Center retrieves from its database the meter record corresponding to the meter serial number of vault 20 and obtains from the record the encryption key, the Authentication Code Receive Count (ACODE_RCOUNT), and the Super Password Send Count (SCODE_SCOUNT). At step 178, the Data Center calculates an authentication code by applying the encryption key to the Authentication Code Receive Count (ACODE_RCOUNT) to obtain encrypted data. A five digit octal number is obtained from the encrypted data, at step 136. The least significant 15 bits of the encrypted data are divided into five digits, each 3 bits long. This five digit number is the calculated authentication code. At step 182, the Data Center compares the received authentication code to the calculated one. If they are the same, then at step 186, the Data Center creates a 5 digit octal code as the super password in the following manner. The encryption key is applied to the Super Password Send Count (SCODE_SCOUNT) to obtain encrypted data. A five digit octal number is obtained from the encrypted data, the least significant 15 bits of which are divided into five digits, each 3 bits long. This is the new super password that is sent to the meter at step 190.

If, at step 182, the received authentication code was not the same as the calculated one, then at step 192, the Authentication Code Receive Count (ACODE_RCOUNT) is incremented but not stored yet. At step 194, the encryption key is applied to the Authentication Code Receive Count (ACODE_RCOUNT) to obtain a calculated authentication code. At step 196, the received authentication code is compared to the calculated one. If not the same, the received authentication code is rejected. If the same, then at step 198, the Authentication Code Receive Count (ACODE_RCOUNT) is stored into the Data Center database, and the Super Password Send Count (SCODE_SCOUNT) is incremented and stored into the database.
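
The counter exchange of Figs. 7 to 9, including the undelivered super password case, written out as an added example; it is not code from the patent. HMAC-SHA-256 truncated to 64 bits stands in for the DES step, and the key, serial number, class names and counter start values are constructed for illustration. The date dependence mentioned in the summary is not modelled.

```python
import hashlib
import hmac

CODE_BITS = 15   # least significant 15 bits of the encrypted data
NUM_DIGITS = 5   # five octal digits, 3 bits each


def encrypt_count(key, count):
    # Assumption: the page applies a DES key to the count. HMAC-SHA-256
    # truncated to 64 bits stands in so only the stdlib is needed.
    mac = hmac.new(key, count.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")


def one_time_code(key, count):
    """Low 15 bits of the encrypted data as a five digit octal string."""
    low = encrypt_count(key, count) & ((1 << CODE_BITS) - 1)
    return format(low, "o").zfill(NUM_DIGITS)


def same_code(a, b):
    return hmac.compare_digest(a.encode(), b.encode())  # constant time


class Vault:
    """Meter side: holds ACODE_SCOUNT and SCODE_RCOUNT (Figs. 7 and 8)."""

    def __init__(self, key, acode_scount, scode_rcount):
        self._key = key
        self.acode_scount = acode_scount
        self.scode_rcount = scode_rcount

    def authentication_code(self):
        # Steps 130-136: the count is read but not advanced here.
        return one_time_code(self._key, self.acode_scount)

    def enter_super_password(self, entered):
        # Steps 144-158: recompute from SCODE_RCOUNT and compare.
        if not same_code(entered, one_time_code(self._key, self.scode_rcount)):
            return False
        # Step 160: both counts advance only on acceptance, so the
        # accepted super password cannot be used a second time.
        self.acode_scount += 1
        self.scode_rcount += 1
        return True  # step 164: the user password is reset


class DataCenter:
    """Data Center side: one record per meter serial number (Fig. 9)."""

    def __init__(self):
        self._records = {}

    def register(self, serial, key, acode_rcount, scode_scount):
        self._records[serial] = {"key": key, "acode_rcount": acode_rcount,
                                 "scode_scount": scode_scount}

    def issue_super_password(self, serial, received):
        rec = self._records.get(serial)
        if rec is None:
            return None
        key = rec["key"]
        # Step 182: a match means the vault has not advanced, so any
        # earlier super password was never entered; reissue the same one.
        if same_code(received, one_time_code(key, rec["acode_rcount"])):
            return one_time_code(key, rec["scode_scount"])
        # Steps 192-196: try the next count; a match confirms that the
        # last super password was delivered and accepted.
        nxt = rec["acode_rcount"] + 1
        if not same_code(received, one_time_code(key, nxt)):
            return None
        # Step 198: store the advanced counts, then issue from the new one.
        rec["acode_rcount"] = nxt
        rec["scode_scount"] += 1
        return one_time_code(key, rec["scode_scount"])


def run_scenario():
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    # Start values are constructed. They differ on purpose: with one key
    # and equal counts the two codes would come out identical.
    vault = Vault(key, acode_scount=0, scode_rcount=1000)
    dc = DataCenter()
    dc.register("SN-0001", key, acode_rcount=0, scode_scount=1000)
    first = dc.issue_super_password("SN-0001", vault.authentication_code())
    # The user never enters `first` (undelivered); a second request
    # carries the same authentication code and gets the same password.
    second = dc.issue_super_password("SN-0001", vault.authentication_code())
    accepted = vault.enter_super_password(second)
    replayed = vault.enter_super_password(second)
    # Next forgotten password: the Data Center catches up by one count.
    third = dc.issue_super_password("SN-0001", vault.authentication_code())
    return {"reissued_same": first == second, "accepted": accepted,
            "replay_accepted": replayed,
            "next_accepted": vault.enter_super_password(third),
            "malformed": dc.issue_super_password("SN-0001", "99999")}
```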

Thus, the present invention provides a convenient method for reinitializing the user password system of a metering system without compromising the security of the metering system or the password protection system. While the present invention has been described for a preferred embodiment relating to a postage metering system, it will be understood by those skilled in the art that the present invention is also suitable for use in transaction evidencing systems in general, such as for monetary transactions, item transactions and information transactions, wherein such systems are protected by a secure user password system.

While the present invention has been disclosed and described with reference to a single embodiment thereof, it will be apparent, as noted above, that variations and modifications may be made therein. It is, thus, intended in the following claims to cover each variation and modification that falls within the true spirit and scope of the present invention.

In the foregoing, the following attorney docket references indicate the US applications shown in the following table. All these applications have corresponding European Applications and are hereby incorporated herein by reference:

E-415  Serial No. 08/575,106
E-416  Serial No. 08^5,107
E-417  Serial No. 08^4,746
E-418  Serial No. 08/574,745
E-419  Serial No. 08^75,110
E-420  Serial No. 08^74,743
E-421  Serial No. 08^75,112
E-444  Serial No. 08/575,109
E-452  Serial No. 08/575,104
E-463  Serial No. 08^74,749
E-466  Serial No. 08^5,111
E-462  Serial No. 08/588,499

Claims 

1. A method of reinitializing a user password system in a transaction evidencing device, the method comprising the steps of:

sharing secret data in the transaction evidencing device and in a database at a data center for performing secure communications therebetween, the secret data including at least two counters and an encryption key;
requesting for the transaction evidencing device a super password from the data center;
authenticating at the data center the transaction evidencing device requesting the super password;
issuing a super password from the data center for the authenticated transaction evidencing device;
entering the super password into the transaction evidencing device;
authenticating in the transaction evidencing device the super password entered in the transaction evidencing device; and
resetting the user password in the transaction evidencing device upon verification of the authenticity of the super password.

2. The method of claim 1, comprising the further steps of:

requesting the super password directly from the transaction evidencing device to the data center; and
sending the super password directly from the data center to the transaction evidencing device.

3. The method of claim 2, comprising the further steps of:

storing the secret data in the transaction evidencing device and in a data center record corresponding to the transaction evidencing device; and
initializing the counters at manufacture of the transaction evidencing device.

4. A method of reinitializing a user password system in a metering system, the method comprising the steps of:

sharing secret data in a meter and a data center;
generating a one time authentication code in the meter;
sending a serial number and the one time authentication code from the meter to the data center;
verifying at the data center the one time authentication code and the user requesting reinitialization of the user password system;
issuing at the data center for the meter a one-time use super password;
entering the super password into the meter;
verifying the super password entered matches an internally calculated password;
resetting the user password system in the meter upon the verification of the super password.

5. The method of claim 4 wherein the step of sharing secret data comprises the further steps of:

storing in the meter at the time of manufacture an encryption key, an authentication code send count (ACODE_SCOUNT) and a super password receive count (SCODE_RCOUNT), each of the counts being initialized to a predetermined number; and
storing a meter record in a database at the data center, the meter record containing parameters of the meter at the time of manufacture, the parameters including meter serial number, the encryption key, an authentication code receive count (ACODE_RCOUNT); and a super password send count (SCODE_SCOUNT), each of the counts being initialized to the predetermined number.

6. The method of claim 5 wherein the step of generating a one time authentication code in the meter comprises the further steps of:

applying the authentication code send count (ACODE_SCOUNT) to obtain encrypted data; and
using predetermined bits of the encrypted data to obtain the one time authentication code.

7. The method of claim 6 wherein the steps of the data center verifying the one time authentication code and issuing the super password comprise the further steps of:

receiving the one time authentication code;
retrieving from the database the meter record corresponding to the serial number of the meter and obtaining from the meter record the encryption key, the authentication code receive count (ACODE_RCOUNT), and the super password send count (SCODE_SCOUNT);
applying the encryption key to the authentication code receive count (ACODE_RCOUNT) to obtain encrypted data;
using predetermined bits of the encrypted data to obtain a calculated authentication code;
comparing the one time authentication code to the calculated authentication code; and
issuing the super password if the one time authentication code matches the calculated authentication code.



8. The method of claim 7 wherein the step of issuing the super password comprises the further steps of:

applying the encryption key to the super password send count (SCODE_SCOUNT) to obtain encrypted data, and
using predetermined bits of the encrypted data to obtain the super password.

9. The method of claim 8 comprising the further steps of:

incrementing the authentication code receive count (ACODE_RCOUNT) when the calculated authentication code does not match the one time authentication code;
applying the encryption key to the authentication code receive count (ACODE_RCOUNT) to obtain a newly calculated authentication code;
comparing the one time authentication code to the newly calculated authentication code;
rejecting the request for a super password if the one time authentication code does not match the newly calculated authentication code; and
issuing the super password if the one time authentication code matches the newly calculated authentication code.

10. The method of claim 5 wherein the step of verifying the super password entered matches an internally calculated password comprises the further steps of:

applying the encryption key to the super password receive count (SCODE_RCOUNT) to obtain encrypted data;
using predetermined bits of the encrypted data to obtain a calculated super password;
comparing the calculated super password to the entered super password;
rejecting the entered super password if the calculated super password does not match the entered super password; and
accepting the super password if the calculated super password does match the entered super password, and incrementing in the meter the authentication code send count (ACODE_SCOUNT); and the super password receive count (SCODE_RCOUNT).

FIG. 9B